MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 262df2047b1eb08b3e58a1edc2823e38563c42d74027a7ecfa2a6a8c7f1f1541. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 262df2047b1eb08b3e58a1edc2823e38563c42d74027a7ecfa2a6a8c7f1f1541
SHA3-384 hash: c8538735ce2c5f5e3a8e94818a4205cc6f48a0e2349d07dc7604929b29020ac800c527bf28d3f2f60a39628dccb1c80a
SHA1 hash: 7bad3d69602f2d0d29cbe90fd74c16c7c272d4c5
MD5 hash: 30417bb4865702959e21e91c10658a9c
humanhash: oklahoma-juliet-stairway-alanine
File name:Quote prices in usd.exe
Download: download sample
Signature MassLogger
Create hunting rule
File size:911'872 bytes
First seen:2020-08-13 08:28:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:2safM0DG9Kk2YzQFiaLqrN17LKmNaaj0TUQv2:2saJ69K/YkVcvK
Threatray 527 similar samples on MalwareBazaar
TLSH 27152352A74A5252D5852FFF689824C907F2D3C8F12BE7F12CD4C56CB5223C6E788B26
Reporter abuse_ch
Tags:exe MassLogger


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mailsnd1.chol.com
Sending IP: 203.252.1.122
From: 김진현 <www88@chol.com>
Subject: FW:RE:Re:?Alibaba_Inquiry_Notification?Kim_from_South_Korea_has_sent_you_an_inquiry
Attachment: Quote prices in usd.zip (contains "Quote prices in usd.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Threat name:
MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/425459
Signature
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected MassLogger RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 265295 Sample: Quote prices in usd.exe Startdate: 14/08/2020 Architecture: WINDOWS Score: 72 25 Yara detected MassLogger RAT 2->25 27 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->27 29 Machine Learning detection for sample 2->29 31 2 other signatures 2->31 8 Quote prices in usd.exe 2 2->8         started        process3 signatures4 33 Injects a PE file into a foreign processes 8->33 11 Quote prices in usd.exe 3 8->11         started        process5 file6 21 C:\Users\user\...\Quote prices in usd.exe.log, ASCII 11->21 dropped 14 cmd.exe 1 11->14         started        process7 process8 16 powershell.exe 17 14->16         started        19 conhost.exe 14->19         started        signatures9 23 Deletes itself after installation 16->23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/262df2047b1eb08b3e58a1edc2823e38563c42d74027a7ecfa2a6a8c7f1f1541/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 08:30:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eyw7ebd3d2yiwpsyuhw4far6hbldyqwxiat2p3h2fjviy7y7cvaq._file
Verdict:
unknown
Similar samples:
02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3
MassLogger
114ba0c81a5ac12f589504d2693d6cb0a845e119bf305fc9eb7b8e756b385f91
MassLogger
1c989f633edcaea6e97a4a96f8a1f9ed19d54ed109cfaf1053a67dc48d28fd52
MassLogger
20ec6cdb323f2e2eea0bfb107e820a079a41a3fc6afdf8378de930d7aa7b4160
MassLogger
49624f5c771ea1f722d434fe9ddb5985529f67ebb0398ed54f5565ba5e470251
MassLogger
4c172115335644672c3a6ef0b6db25528e124eed105da496db95f2672d7120ea
MassLogger
7cfa62ab7a592f04b4268ad35e2a90739666f9d5e91eaa5808dd8ba11239f43d
MassLogger
9dfba413d306830589105d96b90b5ea870b1975bd371350635ea1c2b591bcbd8
MassLogger
ef30ffc2d3ba3ec27cfaee6dd4e86f0fa4e2c8799e341affa924e0763d51ed1a
MassLogger
fc9d50ccd0d0a267f1fa1003607ea81931a9c1f857798c3b10af9b5408f01437
MassLogger
+ 517 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
ransomware spyware stealer family:masslogger
Link:
https://tria.ge/reports/200813-82mcclsjn2/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/262df2047b1eb08b3e58a1edc2823e38563c42d74027a7ecfa2a6a8c7f1f1541

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

zip eac6e4d70ae24e07617be14a898f672ea220b5e359be285bf1231f13f014eaa9

MassLogger

Executable exe 262df2047b1eb08b3e58a1edc2823e38563c42d74027a7ecfa2a6a8c7f1f1541

(this sample)

  
Dropped by
MD5 da71d0a9e6d619cfe63ebac41d7d7164
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44963/
  
Dropped by
SHA256 eac6e4d70ae24e07617be14a898f672ea220b5e359be285bf1231f13f014eaa9

Comments